On Mon, Feb 15, 2010 at 10:56 AM, Justin Pettit <[email protected]> wrote:
> On Feb 15, 2010, at 3:27 AM, [email protected] wrote:
>
>> I can use ovs-ofctl to add flow to deny or allow specific network traffic.
>>
>> Does it support TCP flags (SYN, ACK etc.)? Is there any way to define the direction (inbound/outbound) of this traffic?
>
> Open vSwitch's flow matching capabilities are mostly based on what's defined by OpenFlow. OpenFlow is based on flow-matching, and as such, does not support matching of TCP flags. Also, there's no way to define matching based on direction. Obviously, you can limit based on ingress port, but I suspect that's not sufficient for you.
>
> Jesse has a branch that supports more advanced ACLs when the switch is disconnected from a controller. It should be merged into our mainline branches before too long. I don't remember the capabilities off the top of my head. Jesse, I know it doesn't support inbound/outbound directly, but it does support egress port, correct?

Yes, you can define ACLs based on the switch egress port. However, there is no connection state tracking. Therefore it is possible to define an ACL that prevents a VM from receiving traffic not destined for its IP or MAC address, but not an ACL that only allows traffic that is in response to an outgoing connection.
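The distinction Jesse draws above, as an added illustration that is not part of the thread or of Open vSwitch itself: a toy stateless, OpenFlow-style table expresses the "only traffic addressed to the VM" ACL but admits any correctly addressed unsolicited packet, while the "replies only" policy needs connection state. Field names (in_port, dl_dst, nw_dst) follow ovs-ofctl spelling; port, MAC and IP values are constructed.

```python
from dataclasses import dataclass

# Constructed sample VM attachment (hypothetical values).
VM_PORT, VM_MAC, VM_IP = 2, "52:54:00:00:00:01", "10.0.0.5"

@dataclass(frozen=True)
class Pkt:
    in_port: int      # ingress switch port
    out_port: int     # egress switch port the packet would be forwarded to
    dl_dst: str
    nw_src: str
    nw_dst: str
    tp_src: int
    tp_dst: int

# Stateless egress-port ACL evaluated like an OpenFlow table: each rule is a
# predicate over header fields only, and the highest-priority match wins.
STATELESS_RULES = [
    (100, lambda p: p.out_port == VM_PORT
                    and (p.dl_dst != VM_MAC or p.nw_dst != VM_IP), "drop"),
    (0,   lambda p: True, "allow"),
]

def stateless_acl(p: Pkt) -> str:
    for _prio, match, action in sorted(STATELESS_RULES, key=lambda r: -r[0]):
        if match(p):
            return action
    return "drop"

class ReplyOnlyAcl:
    """The policy the stateless table cannot express: admit traffic to the VM
    only when it answers a connection the VM itself opened."""
    def __init__(self) -> None:
        self.opened = set()   # (src_ip, src_port, dst_ip, dst_port) of VM-originated flows

    def check(self, p: Pkt) -> str:
        if p.in_port == VM_PORT:                       # VM-originated: remember it
            self.opened.add((p.nw_src, p.tp_src, p.nw_dst, p.tp_dst))
            return "allow"
        if p.out_port == VM_PORT and \
           (p.nw_dst, p.tp_dst, p.nw_src, p.tp_src) in self.opened:
            return "allow"                             # reply to a tracked flow
        return "drop"

# Constructed packets: misaddressed, unsolicited-but-correctly-addressed,
# a VM-originated request, and the reply to that request.
MISADDRESSED = Pkt(1, VM_PORT, "52:54:00:00:00:99", "10.0.0.9", "10.0.0.7", 80, 40000)
UNSOLICITED  = Pkt(1, VM_PORT, VM_MAC, "10.0.0.9", VM_IP, 40001, 22)
REQUEST      = Pkt(VM_PORT, 1, "52:54:00:00:00:99", VM_IP, "10.0.0.9", 40000, 80)
REPLY        = Pkt(1, VM_PORT, VM_MAC, "10.0.0.9", VM_IP, 80, 40000)
```

The stateless table drops MISADDRESSED but allows UNSOLICITED; only ReplyOnlyAcl, after seeing REQUEST, admits REPLY while still dropping UNSOLICITED.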
_______________________________________________ discuss mailing list [email protected] http://openvswitch.org/mailman/listinfo/discuss_openvswitch.org
